Cyble-Zoom-Vidar

New Malware Campaign Targets Zoom Users

Fake Zoom Sites Spreading Vidar Stealer

During a routine threat hunting exercise, Cyble Research and Intelligence Labs (CRIL) came across a tweet where a researcher mentioned the creation of multiple fake Zoom sites. All these sites have the same user interface. These sites are created with the express intent of spreading malware disguised as the legitimate Zoom application.

During further investigation, we discovered that these sites were spreading Vidar Stealer. Vidar is an Information Stealing malware that steals the victim’s banking information, saved passwords, IP addresses, browser history, login credentials, and crypto-wallets. This stealer has links to the Arkei stealer. The figure below shows the Fake Zoom Site.

Figure 1 – Fake Zoom Site

Analysis

The fake Zoom sites which are currently in use include:

  • zoom-download[.]host
  • zoom-download[.]space
  • zoom-download[.]fun
  • zoomus[.]host
  • zoomus[.]tech
  • zoomus[.]website

The site redirects in the backend to the following GitHub URL to download the malicious application:

https[:]//github[.]com/sgrfbnfhgrhthr/csdvmghfmgfd/raw/main/Zoom.zip

The figure below shows the redirects that occurred in the backend.

Figure 2 – Backend Site Redirects

Upon execution, the malicious application drops two binaries in the temporary folder:

  • ZOOMIN~1.EXE
  • Decoder.exe

Decoder.exe is a malicious .NET binary that injects the malicious stealer code into MSBuild.exe. Microsoft Build Engine (MSBuild) is a platform used to build applications. ZOOMIN~1.EXE is a clean file that launches the legitimate Zoom installer.

Figure 3 – Execution Flow

The figure below shows the Process Tree of the malicious application.

Figure 4 – Process Tree

After being injected into MSBuild.exe, the malware extracts the IP addresses that host the DLLs and configuration data. The malware uses the URLs listed below to extract the IP addresses, provided that at least one of them is online.

  • https[:]//t[.]me/karacakahve
  • https[:]//ieji[.]de/@tiagoa96

The figure below shows the malware’s network activity.

Figure 5 – Network Activity

Threat Actors (TAs) have used this technique to hide Command and Control (C&C) IP addresses. The figure below shows the IP present in the profile description of the Telegram user “@karacakahve” and of the user ID “@tiagoa96” on ieji.de.

Figure 6 – Hiding the C&C IP in description

The malware receives the configuration data and DLLs from the C&C servers at this stage. The figure below displays the network activity with the C&C server.

Figure 7 – C&C Communication

We found that this malware had overlapping Tactics, Techniques, and Procedures (TTPs) with Vidar Stealer. Compared with our previous analysis of Vidar Stealer, this malware payload hides the C&C IP address in a Telegram profile description. The rest of the infection techniques appear to be similar.

The figure below shows the Hardcoded stealer strings.

Figure 8 – Hardcoded Vidar Stealer Strings

Upon successful execution, the malware uses the following command line to delete itself from the victim’s device:

"C:\Windows\System32\cmd.exe" /c taskkill /im MSBuild.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" & del C:\PrograData\*.dll & exit
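As an added defender-side example (not code from the Cyble report), the Python below turns the execution flow, the dead drop lookups and the self-delete command described above into three detection rules run over constructed Sysmon-style process and network events; the event field names, the sample paths, the user name and the rule names are assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Dead drop hosts named in the report: the stealer reads its C&C IP from profile text there.
DEAD_DROP_HOSTS = {"t.me", "ieji.de"}
# Cleanup line from the report: kill the injected MSBuild.exe, then delete the binary and DLLs.
SELF_DELETE_RE = re.compile(r"taskkill\s+/im\s+msbuild\.exe.*?\bdel\b", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
DECODER = r"C:\Users\user\AppData\Local\Temp\Decoder.exe"  # assumed drop path

# Constructed Sysmon-style events (not taken from the report); field names are assumptions.
EVENTS = [
    {"type": "process", "image": DECODER, "parent": r"C:\Users\user\Downloads\Zoom\Zoom.exe",
     "cmdline": "Decoder.exe"},
    {"type": "process", "image": MSBUILD, "parent": DECODER, "cmdline": "MSBuild.exe"},
    {"type": "network", "image": MSBUILD, "dest_host": "t.me", "dest_port": 443},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": MSBUILD,
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c taskkill /im MSBuild.exe /f '
                '& timeout /t 6 & del /f /q "' + MSBUILD + '" & del C:\\ProgramData\\*.dll & exit'},
    # Benign control: a developer build launched by Visual Studio must not fire any rule.
    {"type": "process", "image": MSBUILD,
     "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "cmdline": "MSBuild.exe app.csproj"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that matches the campaign's behaviour."""
    hits = []
    for i, ev in enumerate(events):
        image = basename(ev.get("image", ""))
        if ev["type"] == "process":
            # Rule 1: the build engine launched by a binary living in a temp folder (Decoder.exe).
            if image == "msbuild.exe" and TEMP_DIR_RE.search(ev.get("parent", "")):
                hits.append((i, "msbuild_spawned_from_temp"))
            # Rule 3: cmd.exe line that kills MSBuild.exe and then deletes files.
            if image == "cmd.exe" and SELF_DELETE_RE.search(ev.get("cmdline", "")):
                hits.append((i, "msbuild_self_delete"))
        elif ev["type"] == "network":
            # Rule 2: MSBuild.exe has no business contacting Telegram or a Mastodon instance.
            if image == "msbuild.exe" and ev.get("dest_host", "").lower() in DEAD_DROP_HOSTS:
                hits.append((i, "msbuild_dead_drop_lookup"))
    return hits
```

Running `detect(EVENTS)` flags the three malicious events and leaves the Visual Studio build untouched; in production the same rules would be fed from Sysmon event IDs 1 and 3 rather than the constructed list.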

Conclusion

Based on our recent observations, TAs actively run multiple campaigns to spread information stealers. Stealer logs can provide access to compromised endpoints, which are sold on cybercrime marketplaces. We have seen multiple breaches where stealer logs provided the initial access to the victim’s network. This campaign appears to target Zoom users. We suggest verifying the legitimacy of the source before downloading any executables.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:

  • Avoid downloading pirated software from warez/torrent websites. The “hack tools” offered on sites such as YouTube and torrent sites frequently contain this kind of malware.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
  • Block URLs that could be used to spread the malware, e.g., torrent/warez sites.
  • Monitor beaconing at the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Initial Access       T1566          Phishing
Execution            T1204          User Execution
Credential Access    T1555          Credentials from Password Stores
Credential Access    T1539          Steal Web Session Cookie
Credential Access    T1552          Unsecured Credentials
Collection           T1113          Screen Capture
Discovery            T1087          Account Discovery
Discovery            T1518          Software Discovery
Discovery            T1057          Process Discovery
Discovery            T1007          System Service Discovery
Discovery            T1614          System Location Discovery
Command and Control  T1095          Non-Application Layer Protocol
Exfiltration         T1041          Exfiltration Over C&C Channel

Indicators of Compromise (IoCs):
